Opened 5 months ago
Closed 5 months ago
#63684 closed defect (bug) (fixed)
'edit_user' capability returns true for user_id = 0 when logged out.
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | 6.9 | Priority: | normal |
| Severity: | minor | Version: | |
| Component: | Role/Capability | Keywords: | has-patch has-unit-tests |
| Focuses: | | Cc: | |
Description
Unexpectedly the edit_user capability returns truthful for $user_id = 0 when the user is not logged in.
This is visualised by wp-cli, but is unrelated to the cli-nature:
```
wp> is_user_logged_in();
bool(false)
wp> get_current_user_id();
int(0)
wp> current_user_can( 'edit_user', 0 );
bool(true)
```
This can cause some unexpected side-effects for some code that is checking whether the current user can edit themselves, and has foregone a logged-in check in favour of the capability check.
The root cause of this appears to be https://github.com/WordPress/wordpress-develop/blob/trunk/src/wp-includes/capabilities.php#L63-L66 which could be enhanced with && $user_id or && $user_id > 0.
This has been run past the security team for posting publicly as a hardening ticket.
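The following is an added illustration, not WordPress core code and not the patch attached to this ticket. It models the self-edit short-circuit that decides 'edit_user' for a non-administrator as a small function, assuming (as a simplification) that the checker's user id is 0 when nobody is logged in and that the target id is the capability's first argument. The `self_edit_allowed_*` and `can_edit_user` names are hypothetical; the second function applies the `$user_id > 0` guard the ticket proposes, and the table printed at the end shows why anonymous visitors currently pass.

```php
<?php
// Added example, not WordPress core code: a reduced model of the
// "may a user edit themselves?" check behind current_user_can( 'edit_user', $id ).

// Current behaviour (assumed model): a loose id comparison. For a logged-out
// visitor the current user id is 0, so 0 == 0 reports a self-edit match.
function self_edit_allowed_original( int $user_id, int $target_id ): bool {
    return $user_id == $target_id;
}

// Hardened variant as proposed in the ticket: only a real (positive) user id
// may match, so the anonymous id 0 never counts as "editing myself".
function self_edit_allowed_hardened( int $user_id, int $target_id ): bool {
    return $user_id > 0 && $user_id === $target_id;
}

// Hypothetical stand-in for current_user_can( 'edit_user', $target_id ) for a
// checker without the edit_users capability, so the self-edit path decides.
function can_edit_user( callable $self_check, int $current_user_id, int $target_id ): bool {
    return $self_check( $current_user_id, $target_id );
}

// Constructed cases: [current user id, target user id, description].
$cases = [
    [ 0, 0, 'logged out, target 0' ],
    [ 0, 7, 'logged out, target 7' ],
    [ 7, 7, 'user 7 editing themself' ],
    [ 7, 8, 'user 7 editing user 8' ],
];

foreach ( $cases as [ $current, $target, $label ] ) {
    printf(
        "%-26s original=%-5s hardened=%s\n",
        $label,
        var_export( can_edit_user( 'self_edit_allowed_original', $current, $target ), true ),
        var_export( can_edit_user( 'self_edit_allowed_hardened', $current, $target ), true )
    );
}
```

Only the first case differs between the two variants: the original model reports `true` for a logged-out visitor asking about user 0, the hardened one reports `false`, and the two real self-edit and cross-user cases are unchanged. Until a site runs a core version with the fix, plugin code that gates a self-service action on the capability alone should pair it with `is_user_logged_in()`, which is the missing check the description points at.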
Change History (3)
This ticket was mentioned in PR #9238 on WordPress/wordpress-develop by @peterwilsoncc.
5 months ago
#1
- Keywords has-patch has-unit-tests added; needs-patch needs-unit-tests removed
In 60491: